JavaScript Considered Harmful

Category

CTU Research

March 06, 2008, by SecureWorks

There is an old saying: "To survive a bear attack you don't have to outrun the bear, you just have to outrun your friend." To some degree, the same applies to the Internet. In some instances you don't have to completely secure yourself from hackers; you just have to be more secure than the next organization. Hackers go after low-hanging fruit because it gives the most bang for their buck. This year it appears that client-side attacks represent that low-hanging fruit. The modern web browser is an incredibly complicated piece of software with a large attack surface. Throw on some third-party software like ActiveX controls (most of which are chock full of buffer overflows) and you have a hacker's playground.

To make matters worse, all modern-day browsers contain JavaScript interpreters, which give attackers the ability to obfuscate their attacks in an infinite number of ways. Luckily there is a method for users to fight back against the majority of these JavaScript-based attacks: NoScript (Firefox) and Trusted Sites (Internet Explorer).

Both methods take the same approach to security: enumerating the good. Instead of playing whack-a-mole with every new type of attack that appears, you maintain a list of the sites from which JavaScript is allowed to run. To do this with Internet Explorer you must first disable Active Scripting for web sites in the "Internet" zone and then add trusted, commonly accessed sites to the "Trusted Sites" zone. This change can be made through Active Directory and pushed out to all computers in your organization. To achieve the same effect in Firefox you must install the NoScript extension. By default this plug-in blocks all JavaScript, Java and Flash content (no more Flash ads). You can then enable this content on a per-site basis or import a list of trusted sites. By using either one of these methods you will be able to block the vast majority of browser-based attacks.
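The Internet Explorer procedure above (turn Active Scripting off in the Internet zone, then enumerate the good into the Trusted Sites zone) is shown below as an added PowerShell example for a single user profile; it is not code from the original post or from SecureWorks. It assumes the standard IE zone layout in the registry (zone 3 = Internet, zone 2 = Trusted Sites, value `1400` = Active Scripting, site-to-zone mappings under `ZoneMap\Domains`), and the allow list of `example.com` hosts is a constructed placeholder, not a recommendation.

```powershell
# Added example, not from the original post. Applies the "enumerate the good"
# configuration for Internet Explorer to the current user (HKCU).
# Assumed registry layout: zone 3 = Internet, zone 2 = Trusted Sites,
# value 1400 = Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable).

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Constructed allow list (placeholders). Only these origins may run script;
# everything else stays in the Internet zone with scripting disabled.
$TrustedSites = @(
    'https://intranet.example.com',
    'https://mail.example.com'
)

function Get-ActiveScriptingSetting {
    # Returns the current 1400 (Active Scripting) value for a zone number.
    param([int]$Zone)
    (Get-ItemProperty -Path (Join-Path $ZonesKey "$Zone") -Name '1400').'1400'
}

function Disable-InternetZoneScripting {
    # Weak default: zone 3, 1400 = 0 (Enable). Corrected: 1400 = 3 (Disable).
    Set-ItemProperty -Path (Join-Path $ZonesKey '3') -Name '1400' -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Maps one origin into zone 2. IE stores the mapping as
    # ZoneMap\Domains\<registrable-domain>[\<subdomain>] with a DWORD named
    # after the scheme (http/https) whose data is the zone number.
    param([string]$Url)
    $uri    = [Uri]$Url
    $labels = $uri.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name: $Url" }
    $domain = $labels[-2..-1] -join '.'          # e.g. example.com
    $path   = Join-Path $ZoneMapKey $domain
    if ($labels.Count -gt 2) {
        # Leading labels (e.g. "intranet") become a subkey under the domain.
        $path = Join-Path $path ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name $uri.Scheme -Value 2 -Type DWord
}

Disable-InternetZoneScripting
$TrustedSites | ForEach-Object { Add-TrustedSite $_ }

# Report the result so the change can be verified after it is applied.
"Internet zone Active Scripting = $(Get-ActiveScriptingSetting 3) (3 = Disable)"
Get-ChildItem -Path $ZoneMapKey -Recurse | Select-Object -ExpandProperty Name
```

Run it in an ordinary (non-elevated) session for the profile you want to change. For the domain-wide rollout the post describes, the equivalent settings are delivered by Group Policy rather than by script: the Internet zone's "Allow active scripting" setting and the "Site to Zone Assignment List" policy under Internet Explorer's Security Page template, which also prevents users from adding their own trusted sites. Note that if the "Security Zones: Use only machine settings" policy is enabled, IE reads the zone configuration from HKLM instead of the HKCU paths used above.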